Him: an adventurer, CISO, soldier, Marine, law officer, author, professor, spy, yachty, motorcyclist, photographer. Her: a church-lady librarian who got divorced, joined a motorcycle gang, became a hacker, and became a world adventurer.


1 comment for “Infosec Risk Management (graphic)”

LongTabSigO

February 26, 2016 at 9:39 am

I staffed this graphic with my work colleagues in a Cyber Defense unit. Our Tech Director offered this feedback:

I would argue that the formula can be improved upon in that there is a denominator for Impact as well. There are system design aspects that are specifically meant to minimize the impact an actor can have assuming they managed to break (past) countermeasures. For example, network segmentation, encrypting data at rest, IP randomization technology, virtualization, etc. Those are not “countermeasures”, they aren’t designed to mitigate specific “vulnerabilities”, and they aren’t standard security controls, but they are meant to limit “impact”.

It is one of the fundamental weaknesses in our existing architecture: we continue to bolt on “security appliances” to enable near real-time countermeasures, but once those countermeasures are defeated, we are soft and gooey on the inside. We have not invested in the fundamental architectural changes necessary to limit impact. You cannot defend the un-defendable. It would be akin to building ships with no watertight integrity and then bolting on rubber bumpers in the hope that inbound missiles would merely bounce off the ship. However, if one of the bumpers is breached, down goes the ship.


Cyber?

Cyber security, and the technologies for securing the information enterprise of industry and government, require a research agenda that is trans-disciplinary while still STEM-focused. The term “cyber” itself denotes a human-cognition-centric concept: it deals with the disintermediation of technology as it sits within human activity. The shift in focus from mitigating threats to individual systems to managing risk across the enterprise has opened completely new areas of inquiry into security.